WebSphere Application Server & Liberty

  • 1.  Custom truststore NodeDefaultTrustStore on WebSphere Application Server have no effect on okhttp ssl connection

    Posted Fri November 06, 2020 01:15 PM

    WebSphere Application Server (Version 9.0.5.3 here) allows you to add TLS certificates to a custom truststore NodeDefaultTrustStore in the WebUI that is then used by the applications running on the server. That is: both the IBM JDK's truststore as well as the custom truststore are somehow merged and used when making SSL connections in a Java app running on WAS.

    That was working fine for all our backends (DB, LDAP, Webservices etc), except for one and that one was using okhttp to make the connection. It first failed with no matching cipher (which was easily fixed by adding com.ibm.jsse2.overrideDefaultTLS=true) and then failed with a PKIX error when trying to find a valid certification path. Turns out okhttp does not use both truststores, but only the JDK one without my custom CA.

    What I found out:

    1. If you get the TrustManager the following way, you will always end up with the JDK certs only. The certs in the custom truststore would not be there.

    // null keystore = the JDK default truststore (cacerts); the WAS custom truststore is not consulted
    TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
    tmf.init((KeyStore) null);

    2. Getting an SSLSocketFactory using SSLContext.getInstance("SSL").getSocketFactory() will also give you the JDK certs only.

    3. I tried hard to find a way to get the TrustManager out of socket factories (with reflection) but only succeeded when running on the IBM JDK on the command line. When running on a WebSphere server, the SSLSocketFactory you get looks completely different again and does not seem to contain a TrustManager object... see #2427 (comment) for the cmdline approach.

    4. I found a way to get an SSLSocketFactory though that does work! HttpsURLConnection.getDefaultSSLSocketFactory() gives you one that queries both TrustStores!

    I now have it working using something like this:

    TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
    tmf.init((KeyStore) null);
    // okhttp wants a single X509TrustManager, not the TrustManager[] the factory returns
    X509TrustManager defaultJDKTrustManager = (X509TrustManager) tmf.getTrustManagers()[0];

    ...

    // socket factory does the actual handshake validation; the trust manager is what okhttp inspects
    builder.sslSocketFactory(HttpsURLConnection.getDefaultSSLSocketFactory(), defaultJDKTrustManager);

    The obvious problem here: HttpsURLConnection gives you the correct trusts, whereas defaultJDKTrustManager contains only the JDK's trusted certs.

    This has implications for certificate pinning and other things you want to check yourself.

    Is there a way to get the NodeDefaultTrustStore using some official/unofficial Java API from my code? Or is this a bug in WAS or the IBM JDK?



    #Support
    #SupportMigration
    #WebSphereApplicationServer(WAS)
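The mismatch described in this post (a socket factory that trusts the custom CA paired with a trust manager that does not) matters because okhttp uses the trust manager it is handed for certificate-chain cleaning and pinning, so the two halves should agree. The following is an added example, not code from the original post or from IBM: it builds one X509TrustManager that delegates to both the JDK default truststore and a PKCS12 truststore loaded from disk, then passes a socket factory built from that same trust manager to okhttp. The path and password of the trust.p12 file are assumed to be known to the caller (they are placeholders here), and the okhttp3 dependency is assumed to be on the classpath.

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;
import okhttp3.OkHttpClient;

/** Trusts a chain if any delegate trust manager trusts it; accepted issuers are the union. */
public final class CompositeTrustManager implements X509TrustManager {
    private final List<X509TrustManager> delegates;

    public CompositeTrustManager(List<X509TrustManager> delegates) {
        this.delegates = new ArrayList<>(delegates);
    }

    private void check(X509Certificate[] chain, String authType, boolean server) throws CertificateException {
        CertificateException last = null;
        for (X509TrustManager tm : delegates) {
            try {
                if (server) tm.checkServerTrusted(chain, authType);
                else tm.checkClientTrusted(chain, authType);
                return; // one delegate accepted the chain
            } catch (CertificateException e) {
                last = e; // remember the failure, try the next store
            }
        }
        throw last != null ? last : new CertificateException("no trust managers configured");
    }

    @Override public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        check(chain, authType, true);
    }

    @Override public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        check(chain, authType, false);
    }

    @Override public X509Certificate[] getAcceptedIssuers() {
        List<X509Certificate> all = new ArrayList<>();
        for (X509TrustManager tm : delegates) all.addAll(Arrays.asList(tm.getAcceptedIssuers()));
        return all.toArray(new X509Certificate[0]);
    }

    /** First X509TrustManager for the given keystore; null means the JDK default (cacerts). */
    static X509TrustManager x509TrustManagerFor(KeyStore ks) throws GeneralSecurityException {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) return (X509TrustManager) tm;
        }
        throw new GeneralSecurityException("no X509TrustManager available");
    }

    static KeyStore loadPkcs12(String path, char[] password) throws IOException, GeneralSecurityException {
        KeyStore ks = KeyStore.getInstance("PKCS12");
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }
        return ks;
    }

    /** Socket factory and trust manager are derived from the same trust, so okhttp's pinning sees the custom CA too. */
    public static OkHttpClient buildClient(String trustStorePath, char[] trustStorePassword)
            throws IOException, GeneralSecurityException {
        X509TrustManager jdk = x509TrustManagerFor(null);
        X509TrustManager custom = x509TrustManagerFor(loadPkcs12(trustStorePath, trustStorePassword));
        X509TrustManager combined = new CompositeTrustManager(Arrays.asList(jdk, custom));

        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { combined }, null);
        return new OkHttpClient.Builder().sslSocketFactory(ctx.getSocketFactory(), combined).build();
    }

    /** Sanity check in the spirit of walking getAcceptedIssuers: is the CA with this RFC 2253 subject DN trusted? */
    public static boolean trustsIssuer(X509TrustManager tm, String subjectDn) {
        for (X509Certificate c : tm.getAcceptedIssuers()) {
            if (c.getSubjectX500Principal().getName().equals(subjectDn)) return true;
        }
        return false;
    }

    public static void main(String[] args) throws Exception {
        // Placeholders: the real location and password of the WAS truststore are deployment-specific.
        String path = System.getProperty("truststore.path", "/path/to/trust.p12");
        char[] password = System.getProperty("truststore.password", "changeit").toCharArray();
        OkHttpClient client = buildClient(path, password);
        System.out.println("client built with combined trust: " + (client != null));
    }
}
```

Because okhttp receives a trust manager that actually reflects the trust the socket factory enforces, `trustsIssuer(combined, "CN=My Internal CA,O=Example")` returns true exactly when that CA is in either store, which is the property the original mismatched pairing could not offer.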


  • 2.  RE: Custom truststore NodeDefaultTrustStore on WebSphere Application Server have no effect on okhttp ssl connection

    Posted Fri November 06, 2020 01:39 PM

    Hello, I think that you are using a little different terminology than what I normally see around this topic so maybe my comments and answer could be a little off from what you are thinking or looking for. But, with traditional WebSphere Application Server, I don't think you can have an outbound SSL connection that looks in the trust.p12 (NodeDefaultTrustStore) and cacerts (JVM default) for signers to match from SSL Servers, but if you got that working it is interesting ;-) There is a feature that allows something like that now in Liberty.

    From a question on how to program outbound SSL connections I think you are looking for information on the JSSEHelper API... check out these links for some information (note the first one talks about WebSphere Application Server version 6.1, which is very old, but the details in this area are still mostly accurate):

    SSL, certificate, and key management enhancements for even stronger security in WebSphere Application Server V6.1

    https://www.ibm.com/developerworks/websphere/techjournal/0612_birk/0612_birk.html

    Programmatically specifying an outbound SSL configuration using JSSEHelper API

    https://www.ibm.com/support/knowledgecenter/en/SSAW57_9.0.5/com.ibm.websphere.nd.multiplatform.doc/ae/tsec_ssloutconfiguseJSSE.html



  • 3.  RE: Custom truststore NodeDefaultTrustStore on WebSphere Application Server have no effect on okhttp ssl connection

    Posted Fri November 06, 2020 02:51 PM

    I double checked again: When I connect to an https server with a self-signed certificate using the HttpsURLConnection.getDefaultSSLSocketFactory() method, I get a certificate error as I would expect. I then added the certificate to the trust.p12/NodeDefaultTrustStore, restarted my app and it can connect just fine without a certificate error.


    So I guess my question is: Why does it work with HttpsURLConnection.getDefaultSSLSocketFactory() and not with SSLContext.getInstance("SSL").getSocketFactory() ?


    As I mentioned above: I got it working. I'm just trying to figure out if this is a bug, because it is working in one way and not in another. (and I have no idea how to report this in another way)





  • 4.  RE: Custom truststore NodeDefaultTrustStore on WebSphere Application Server have no effect on okhttp ssl connection

    Posted Fri November 06, 2020 02:59 PM

    Forgot to mention that I also tried to get the IBM trustmanagers directly:

    TrustManagerFactory trustManagerFactoryIbmPKIX = TrustManagerFactory.getInstance("IbmPKIX");
    trustManagerFactoryIbmPKIX.init((KeyStore) null);


    I tried IbmPKIX, PKIX, SunPKIX, IbmX509, and the default one.

    I then went through all the certificates in each truststore with getAcceptedIssuers: None of them contained my self-signed cert. I also tried importing a CA into trust.p12, but it is also not present in any of the trustmanagers.





  • 5.  RE: Custom truststore NodeDefaultTrustStore on WebSphere Application Server have no effect on okhttp ssl connection

    Posted Sat November 07, 2020 07:39 AM

    WebSphere Application Server (WAS) is a software product that performs the role of a web application server. More specifically, it is a software framework and middleware that hosts Java-based web applications. It is the flagship product within IBM's WebSphere software suite.


